Nick Klein edited this page Sep 14, 2020 · 13 revisions

Frequently Asked Questions

Why did we create CCX Digger?

Australian organisations and government agencies have been responding to a significant increase in cyber incidents in 2020, as described in the Prime Minister's announcement in June, which raised awareness of the issue.

Various advisories have been published by the Australian Cyber Security Centre (ACSC) which describe specific tactics, techniques and procedures (TTPs). However, through CyberCX's work, we recognise that a significant challenge facing organisations is often a lack of the technical capability and forensic knowledge required to turn this valuable threat intelligence into action, that is, to detect and respond to sophisticated attackers on their systems.

CCX Digger has been launched to help overcome this challenge, and to help contribute to CyberCX's mission of protecting the communities we live in.

As a proud Australian cyber security company, we want CCX Digger to contribute to the improvement of Australia's national cyber security capabilities by providing a simple, powerful and free scanning tool.

How does CCX Digger work?

CCX Digger uses specific detection queries, built around Yara signatures, to detect a range of known attacker activities (Indicators of Compromise, or IOCs). These queries are encoded in the powerful Velociraptor Query Language (VQL). Scans can be performed in two ways: on an individual system using a single CCX Digger executable, or across a network by deploying Velociraptor and importing the CCX Digger artefact pack.

CCX Digger uses several VQL methods, including Yara scans for specific strings identifying malware, and other detection techniques. This is what we call a hunt.
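To make the "Yara signature inside a VQL artefact" idea concrete, here is an added illustrative artefact in Velociraptor's YAML artefact format. It is not one of the CCX Digger artefacts and not code from the project; the artefact name, the parameter names and the Yara rule string are constructed placeholders. It assumes a Velociraptor build that provides the standard `glob()`, `foreach()` and `yara()` VQL plugins.

```yaml
# Hypothetical example artefact (not part of CCX Digger).
# Walks a file glob and runs an inline Yara rule over every file found,
# returning one row per match. The rule string is a constructed marker,
# not a real indicator of compromise.
name: Custom.Example.YaraHunt
description: |
  Illustrative hunt: scan files matching TargetGlob with the Yara rules
  in YaraRules and report each match with the file name, rule name and
  the offset of the matched string.

parameters:
  - name: TargetGlob
    description: Files to scan (constructed default for the example)
    default: C:\Users\**\*.txt
  - name: YaraRules
    description: Inline Yara rule set (constructed placeholder rule)
    default: |
      rule Example_Marker
      {
          meta:
              description = "Constructed placeholder rule for the example"
          strings:
              $marker = "CCXDIGGER-EXAMPLE-MARKER" ascii
          condition:
              $marker
      }

sources:
  - query: |
      -- Enumerate candidate files first, then hand each path to yara().
      SELECT * FROM foreach(
        row={
          SELECT FullPath FROM glob(globs=TargetGlob)
        },
        query={
          SELECT FileName,
                 Rule,
                 String.Name   AS MatchedString,
                 String.Offset AS Offset
          FROM yara(files=FullPath, rules=YaraRules)
        })
```

Each row this produces is a single Yara hit, which is the kind of "finding" the HTML report and the per-finding wiki pages describe. To reproduce the example, place the marker string in a text file under the glob path, import the artefact into a Velociraptor server (or run it with the Velociraptor binary's `artifacts collect` command) and confirm exactly that file appears in the output.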

For individual scans, an HTML report is produced which lists any findings and explains what they mean, with accompanying recommendations on the next steps for further investigation.

Further investigation is often necessary to determine if the results are indeed malicious.

The CCX Digger executable will locally collect suspicious files by copying them into a folder in the same directory as the executable. CCX Digger will not directly remove, modify or change any files on the system, other than the evidence copies and HTML report it creates. CCX Digger will not collect or transmit any data outside of your network, nor will it 'call home'; no network connection is required to scan a system using the tool.

Is this just a Yara / IOC scanner?

It’s both, and more.

While CCX Digger (and Velociraptor) use Yara signatures, they also provide more advanced detections through the Velociraptor Query Language (VQL). CCX Digger leverages VQL to detect malicious activities through several techniques, including Yara scans for known malware components.

How can I contribute?

The effectiveness of CCX Digger depends upon the threat intelligence it uses to detect attacker activities. This intelligence has been voluntarily contributed by our clients and through our government and industry relationships.

We welcome contributions of any additional threat intelligence and are pleased to credit all contributors (or not, if you prefer). Please visit this page for further information on contributing.

What do I do if I need help or support?

If you believe your network may be compromised, or need more assistance to interpret the HTML report generated by CCX Digger, please refer to the Need help? page.

About CyberCX

CyberCX is Australia’s leading force of cyber security professionals, with over 500 specialists across Australia, New Zealand, the UK and the USA, providing services across the following practice areas:

  • Strategy & Consulting
  • Security Testing & Assurance
  • Governance, Risk & Compliance
  • Security Integration & Engineering
  • Identity & Access Management
  • Managed Security Services
  • Digital Forensics & Incident Response
  • Education & Training

The CyberCX Digital Forensics & Incident Response (DFIR) team helps our clients to conduct a broad range of digital forensic investigations and to respond to cyber incidents every day. With the largest number of DFIR specialists across the region, we provide an unmatched depth of technical expertise, industry experience and local resources when and where our clients need us.

About Velociraptor

Velociraptor is an endpoint visibility platform developed in Australia, which provides leading capabilities for distributed forensic analysis, endpoint monitoring and the surgical collection of evidence from across networks.

The foundation of Velociraptor is a unique query language named VQL, which allows analysts to write specific detection queries, known in Velociraptor as Artefacts. Artefacts build on the underlying Velociraptor functionality and can be easily distributed and shared.

CyberCX has been a proud collaborator of the Velociraptor project since its early days. CCX Digger is yet another example of the benefits of this partnership to the cyber security industry and the communities we protect.

Will CCX Digger collect my information?

CCX Digger's key privacy features include:

  • It will not collect any information from your systems
  • Full transparency through free and open source software
  • Single executable, which requires no installation and has no external dependencies
  • No registration, licenses or dongles required
  • No collection or transmission of data outside your network
  • No ‘calling home’ and no external network connections required to run a scan

How do I suggest features?

We welcome all feedback to help improve future versions. Please submit all issues and feature requests through our CCX Labs GitHub site at https://github.com/CCXLabs/CCXDigger

How do I use the Wiki?

After conducting a scan on your system or network, a report will be generated containing any hits found. To get the most out of the report, use the wiki as follows:

  • Each finding within the report will link to an appropriate wiki page, which will provide guidance on interpreting the results.
  • Investigation into each finding is highly recommended to verify whether it indicates malicious activity.
  • Each wiki page contains general guidance for investigating findings on your own, under the Interpreting the Results section.

Structure

Each wiki page for a finding is structured in the following way:

  • Overview: A summary of the search.
  • Detection Approach: How the search is performed, including what contextual information may be involved.
  • Detection Artefact: The name of the specific artefact used by CCX Digger to identify the indicator.
  • Threat Intelligence Sources: The origin of threat information from which the search was derived.
  • Interpreting the Results: How to contextualise the results of the HTML report and any hits which may be present.
  • Investigations: General guidance on how to investigate each finding. Please note the specific finding which the HTML report returns, as there may be multiple results for each artefact. (For example, an artefact which searches for many webshells may find only one specific hit; make sure to review the recommended investigation steps for that specific result.)
  • References: Any references that may assist to understand the detection approach and findings.
  • Need Help?: What to do if you believe your system may be compromised, or need further guidance on interpreting the results.
  • Revision History: Details relevant version information for the artefact.